WLAN Commands

clear ipv6 neighbor-binding

To clear the IPv6 neighbor binding table entries or counters, use the clear ipv6 neighbor-binding command.

clear ipv6 neighbor-binding { table { mac mac_address | vlan vlan_id | port port | ipv6 ipv6-address | all} | counters}

Syntax Description

table

Clears the IPv6 neighbor binding table.

mac

Clears the neighbor binding table entries for a MAC address.

mac_address

MAC address of the client.

vlan

Clears the neighbor binding table entries for a VLAN.

vlan_id

VLAN identifier.

port

Clears the neighbor binding table entries for a port.

port

Port number.

ipv6

Clears the neighbor binding table entries for an IPv6 address.

ipv6_address

IPv6 address of the client.

all

Clears the entire neighbor binding table.

counters

Clears IPv6 neighbor binding counters.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to clear the IPv6 neighbor binding table entries for a VLAN:

(Cisco Controller) >clear ipv6 neighbor-binding table vlan 1

config 802.11 dtpc

To enable or disable the Dynamic Transmit Power Control (DTPC) setting for an 802.11 network, use the config 802.11 dtpc command.

config 802.11{ a | b} dtpc { enable | disable}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

enable

Enables the support for this command.

disable

Disables the support for this command.

Command Default

The default DTPC setting for an 802.11 network is enabled.

Command History

Release Modification

7.6

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable DTPC for an 802.11a network:


(Cisco Controller) > config 802.11a dtpc disable

config client ccx clear-reports

To clear the client reporting information, use the config client ccx clear-reports command.

config client ccx clear-reports client_mac_address

Syntax Description

client_mac_address

MAC address of the client.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to clear the reporting information of the client MAC address 00:1f:ca:cf:b6:60:

(Cisco Controller) >config client ccx clear-reports 00:1f:ca:cf:b6:60

config client ccx clear-results

To clear the test results on the controller, use the config client ccx clear-results command.

config client ccx clear-results client_mac_address

Syntax Description

client_mac_address

MAC address of the client.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to clear the test results of the client MAC address 00:1f:ca:cf:b6:60:

(Cisco Controller) >config client ccx clear-results 00:1f:ca:cf:b6:60

config client ccx default-gw-ping

To send a request to the client to perform the default gateway ping test, use the config client ccx default-gw-ping command.

config client ccx default-gw-ping client_mac_address

Syntax Description

client_mac_address

MAC address of the client.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This test does not require the client to use the diagnostic channel.

Examples

The following example shows how to send a request to the client00:0b:85:02:0d:20 to perform the default gateway ping test:

(Cisco Controller) >config client ccx default-gw-ping 00:0b:85:02:0d:20

config client ccx dhcp-test

To send a request to the client to perform the DHCP test, use the config client ccx dhcp-test command.

config client ccx dhcp-test client_mac_address

Syntax Description

client_mac_address

MAC address of the client.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

 This test does not require the client to use the diagnostic channel.

Examples

The following example shows how to send a request to the client 00:E0:77:31:A3:55 to perform the DHCP test:

(Cisco Controller) >config client ccx dhcp-test 00:E0:77:31:A3:55

config client ccx dns-ping

To send a request to the client to perform the Domain Name System (DNS) server IP address ping test, use the config client ccx dns-ping command.

config client ccx dns-ping client_mac_address

Syntax Description

client_mac_address

MAC address of the client.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This test does not require the client to use the diagnostic channel.

Examples

The following example shows how to send a request to a client to perform the DNS server IP address ping test:

(Cisco Controller) >config client ccx dns-ping 00:E0:77:31:A3:55

config client ccx dns-resolve

To send a request to the client to perform the Domain Name System (DNS) resolution test to the specified hostname, use the config client ccx dns-resolve command.

config client ccx dns-resolve client_mac_address host_name

Syntax Description

client_mac_address

MAC address of the client.

host_name

Hostname of the client.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This test does not require the client to use the diagnostic channel.

Examples

The following example shows how to send a request to the client 00:E0:77:31:A3:55 to perform the DNS name resolution test to the specified hostname:

(Cisco Controller) >config client ccx dns-resolve 00:E0:77:31:A3:55 host_name

config client ccx get-client-capability

To send a request to the client to send its capability information, use the config client ccx get-client-capability command.

config client ccx get-client-capability client_mac_address

Syntax Description

client_mac_address

MAC address of the client.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to send a request to the client 172.19.28.40 to send its capability information:

(Cisco Controller) >config client ccx get-client-capability 172.19.28.40

config client ccx get-manufacturer-info

To send a request to the client to send the manufacturer’s information, use the config client ccx get-manufacturer-info command.

config client ccx get-manufacturer-info client_mac_address

Syntax Description

client_mac_address

MAC address of the client.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to send a request to the client 172.19.28.40 to send the manufacturer’s information:

(Cisco Controller) >config client ccx get-manufacturer-info 172.19.28.40

config client ccx get-operating-parameters

To send a request to the client to send its current operating parameters, use the config client ccx get-operating-parameters command.

config client ccx get-operating-parameters client_mac_address

Syntax Description

client_mac_address

MAC address of the client.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to send a request to the client 172.19.28.40 to send its current operating parameters:

(Cisco Controller) >config client ccx get-operating-parameters 172.19.28.40

config client ccx get-profiles

To send a request to the client to send its profiles, use the config client ccx get-profiles command.

config client ccx get-profiles client_mac_address

Syntax Description

client_mac_address

MAC address of the client.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to send a request to the client 172.19.28.40 to send its profile details:

(Cisco Controller) >config client ccx get-profiles 172.19.28.40

config client ccx log-request

To configure a Cisco client eXtension (CCX) log request for a specified client device, use the config client ccx log-request command.

config client ccx log-request { roam | rsna | syslog} client_mac_address

Syntax Description

roam

(Optional) Specifies the request to specify the client CCX roaming log.

rsna

(Optional) Specifies the request to specify the client CCX RSNA log.

syslog

(Optional) Specifies the request to specify the client CCX system log.

client_mac_address

MAC address of the client.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to specify the request to specify the client CCS system log:

(Cisco Controller) >config client ccx log-request syslog 00:40:96:a8:f7:98
Tue Oct 05 13:05:21 2006
SysLog Response LogID=1: Status=Successful
Event Timestamp=121212121212
Client SysLog = 'This is a test syslog 2'
Event Timestamp=121212121212
Client SysLog = 'This is a test syslog 1'
Tue Oct 05 13:04:04 2006
SysLog Request LogID=1

The following example shows how to specify the client CCX roaming log:

(Cisco Controller) >config client ccx log-request roam 00:40:96:a8:f7:98
Thu Jun 22 11:55:14 2006
Roaming Response LogID=20: Status=Successful
Event Timestamp=121212121212
Source BSSID=00:40:96:a8:f7:98, Target BSSID=00:0b:85:23:26:70,
Transition Time=100(ms)
Transition Reason: Unspecified Transition Result: Success
Thu Jun 22 11:55:04 2006
Roaming Request LogID=20
Thu Jun 22 11:54:54 2006
Roaming Response LogID=19: Status=Successful
Event Timestamp=121212121212
Source BSSID=00:40:96:a8:f7:98, Target BSSID=00:0b:85:23:26:70,
Transition Time=100(ms)
Transition Reason: Unspecified Transition Result: Success
Thu Jun 22 11:54:33 2006  Roaming Request LogID=19

The following example shows how to specify the client CCX RSNA log:

(Cisco Controller) >config client ccx log-request rsna 00:40:96:a8:f7:98
Tue Oct 05 11:06:48 2006
RSNA Response LogID=2: Status=Successful
Event Timestamp=242424242424
Target BSSID=00:0b:85:23:26:70
RSNA Version=1
Group Cipher Suite=00-x0f-ac-01
Pairwise Cipher Suite Count = 2
Pairwise Cipher Suite 0 = 00-0f-ac-02
Pairwise Cipher Suite 1 = 00-0f-ac-04
AKM Suite Count = 2
KM Suite 0 = 00-0f-ac-01
KM Suite 1 = 00-0f-ac-02
SN Capability = 0x1
PMKID Count = 2
PMKID 0 = 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16
PMKID 1 = 0a 0b 0c 0d 0e 0f 17 18 19 20 1a 1b 1c 1d 1e 1f
802.11i Auth Type: EAP_FAST
RSNA Result: Success

config client ccx send-message

To send a message to the client, use the config client ccx send-message command.

config client ccx send-message client_mac_address message_id

Syntax Description

client_mac_address

MAC address of the client.

message_id

Message type that involves one of the following:

  • 1—The SSID is invalid.

  • 2—The network settings are invalid.

  • 3—There is a WLAN credibility mismatch.

  • 4—The user credentials are incorrect.

  • 5—Please call support.

  • 6—The problem is resolved.

  • 7—The problem has not been resolved.

  • 8—Please try again later.

  • 9—Please correct the indicated problem.

  • 10—Troubleshooting is refused by the network.

  • 11—Retrieving client reports.

  • 12—Retrieving client logs.

  • 13—Retrieval complete.

  • 14—Beginning association test.

  • 15—Beginning DHCP test.

  • 16—Beginning network connectivity test.

  • 17—Beginning DNS ping test.

  • 18—Beginning name resolution test.

  • 19—Beginning 802.1X authentication test.

  • 20—Redirecting client to a specific profile.

  • 21—Test complete.

  • 22—Test passed.

  • 23—Test failed.

  • 24—Cancel diagnostic channel operation or select a WLAN profile to resume normal operation.

  • 25—Log retrieval refused by the client.

  • 26—Client report retrieval refused by the client.

  • 27—Test request refused by the client.

  • 28—Invalid network (IP) setting.

  • 29—There is a known outage or problem with the network.

  • 30—Scheduled maintenance period.

    (continued on next page)

message_type (cont.)

  • 31—The WLAN security method is not correct.

  • 32—The WLAN encryption method is not correct.

  • 33—The WLAN authentication method is not correct.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to send a message to the client MAC address 172.19.28.40 with the message user-action-required:

(Cisco Controller) >config client ccx send-message 172.19.28.40 user-action-required

config client ccx stats-request

To send a request for statistics, use the config client ccx stats-request command.

config client ccx stats-request measurement_duration { dot11 | security} client_mac_address

Syntax Description

measurement_duration

Measurement duration in seconds.

dot11

(Optional) Specifies dot11 counters.

security

(Optional) Specifies security counters.

client_mac_address

MAC address of the client.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to specify dot11 counter settings:

(Cisco Controller) >config client ccx stats-request 1 dot11 00:40:96:a8:f7:98
Measurement duration = 1
dot11TransmittedFragmentCount       = 1
dot11MulticastTransmittedFrameCount = 2
dot11FailedCount                    = 3
dot11RetryCount                     = 4
dot11MultipleRetryCount             = 5
dot11FrameDuplicateCount            = 6
dot11RTSSuccessCount                = 7
dot11RTSFailureCount                = 8
dot11ACKFailureCount                = 9
dot11ReceivedFragmentCount          = 10
dot11MulticastReceivedFrameCount    = 11
dot11FCSErrorCount                  = 12
dot11TransmittedFrameCount          = 13

config client ccx test-abort

To send a request to the client to terminate the current test, use the config client ccx test-abort command.

config client ccx test-abort client_mac_address

Syntax Description

client_mac_address

MAC address of the client.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Only one test can be pending at a time.

Examples

The following example shows how to send a request to a client to terminate the correct test settings:

(Cisco Controller) >config client ccx test-abort 11:11:11:11:11:11

config client ccx test-association

To send a request to the client to perform the association test, use the config client ccx test-association command.

config client ccx test-association client_mac_address ssid bssid 802.11{ a | b | g} channel

Syntax Description

client_mac_address

MAC address of the client.

ssid

Network name.

bssid

Basic SSID.

802.11a

Specifies the 802.11a network.

802.11b

Specifies the 802.11b network.

802.11g

Specifies the 802.11g network.

channel

Channel number.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to send a request to the client MAC address 00:0E:77:31:A3:55 to perform the basic SSID association test:

(Cisco Controller) >config client ccx test-association 00:E0:77:31:A3:55 ssid bssid 802.11a

config client ccx test-dot1x

To send a request to the client to perform the 802.1x test, use the config client ccx test-dot1x command.

config client ccx test-dot1x client_mac_address profile_id bssid 802.11 { a | b | g} channel

Syntax Description

client_mac_address

MAC address of the client.

profile_id

Test profile name.

bssid

Basic SSID.

802.11a

Specifies the 802.11a network.

802.11b

Specifies the 802.11b network.

802.11g

Specifies the 802.11g network.

channel

Channel number.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to send a request to the client to perform the 802.11b test with the profile name profile_01:

(Cisco Controller) >config client ccx test-dot1x 172.19.28.40 profile_01 bssid 802.11b

config client ccx test-profile

To send a request to the client to perform the profile redirect test, use the config client ccx test-profile command.

config client ccx test-profile client_mac_address profile_id

Syntax Description

client_mac_address

MAC address of the client.

profile_id

Test profile name.

Note 

The profile_id should be from one of the client profiles for which client reporting is enabled.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to send a request to the client to perform the profile redirect test with the profile name profile_01:

(Cisco Controller) >config client ccx test-profile 11:11:11:11:11:11 profile_01

config client deauthenticate

To disconnect a client, use the config client deauthenticate command.

config client deauthenticate MAC

Syntax Description

MAC

Client MAC address.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to deauthenticate a client using its MAC address:


(Cisco Controller) >config client deauthenticate 11:11:11:11:11

config ipv6 neighbor-binding

To configure the Neighbor Binding table on the Cisco wireless LAN controller, use the config ipv6 neighbor-binding command.

config ipv6 neighbor-binding { timers { down-lifetime down_time | reachable-lifetime reachable_time | stale-lifetime stale_time } | { ra-throttle { allow at-least at_least_value} | enable | disable | interval-option { ignore | passthrough | throttle } | max-through { no_mcast_RA | no-limit} | throttle-period throttle_period}}

Syntax Description

timers

Configures the neighbor binding table timeout timers.

down-lifetime

Configures the down lifetime.

down_time

Down lifetime in seconds. The range is from 0 to 86400. The default is 30 seconds.

reachable-lifetime

Configures the reachable lifetime.

reachable_time

Reachable lifetime in seconds. The range is from 0 to 86400. The default is 300 seconds.

stale-lifetime

Configures the stale lifetime.

stale_time

Stale lifetime in seconds. The range is from 0 to 86400. The default is 86400 seconds.

ra-throttle

Configures IPv6 RA throttling options.

allow

Specifies the number of multicast RAs per router per throttle period.

at_least_value

Number of multicast RAs from router before throttling. The range is from 0 to 32. The default is 1.

enable

Enables IPv6 RA throttling.

disable

Disables IPv6 RA throttling.

interval-option

Adjusts the behavior on RA with RFC3775 interval option.

ignore

Indicates interval option has no influence on throttling.

passthrough

Indicates all RAs with RFC3775 interval option will be forwarded (default).

throttle

Indicates all RAs with RFC3775 interval option will be throttled.

max-through

Specifies unthrottled multicast RAs per VLAN per throttle period.

no_mcast_RA

Number of multicast RAs on VLAN by which throttling is enforced. The default multicast RAs on vlan is 10.

no-limit

Configures no upper bound at the VLAN level.

throttle-period

Configures the throttle period.

throttle_period

Duration of the throttle period in seconds. The range is from 10 to 86400 seconds. The default is 600 seconds.

Command Default

This command is disabled by default.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the Neighbor Binding table:

(Cisco Controller) >config ipv6 neighbor-binding ra-throttle enable

config ipv6 ns-mcast-fwd

To configure the nonstop multicast cache miss forwarding, use the config ipv6 ns-mcast-fwd command.

config ipv6 ns-mcast-fwd { enable | disable}

Syntax Description

enable

Enables nonstop multicast forwarding on a cache miss.

disable

Disables nonstop multicast forwarding on a cache miss.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure an nonstop multicast forwarding:

(Cisco Controller) >config ipv6 ns-mcast-fwd enable

config ipv6 ra-guard

To configure the filter for Router Advertisement (RA) packets that originate from a client on an AP, use the config ipv6 ra-guard command.

config ipv6 ra-guard ap { enable | disable}

Syntax Description

enable

Enables RA guard on an AP.

disable

Disables RA guard on an AP.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable IPv6 RA guard:


(Cisco Controller) >config ipv6 ra-guard enable

config remote-lan

To configure a remote LAN, use the config remote-lan command.

config remote-lan { enable | disable} { remote-lan-id | all}

Syntax Description

enable

Enables a remote LAN.

disable

Disables a remote LAN.

remote-lan-id

Remote LAN identifier. Valid values are between 1 and 512.

all

Configures all wireless LANs.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable a remote LAN with ID 2:

(Cisco Controller) >config remote-lan enable 2

config remote-lan aaa-override

To configure user policy override through AAA on a remote LAN, use the config remote-lan aaa-override command.

config remote-lan aaa-override { enable | disable} remote-lan-id

Syntax Description

enable

Enables user policy override through AAA on a remote LAN.

disable

Disables user policy override through AAA on a remote LAN.

remote-lan-id

Remote LAN identifier. Valid values are between 1 and 512.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable user policy override through AAA on a remote LAN where the remote LAN ID is 2:

(Cisco Controller) >config remote-lan aaa-override enable 2

config remote-lan acl

To specify an access control list (ACL) for a remote LAN, use the config remote-lan acl command.

config remote-lan acl remote-lan-id acl_name

Syntax Description

remote-lan-id

Remote LAN identifier. Valid values are between 1 and 512.

acl_name

ACL name.

Note 

Use the show acl summary command to know the ACLs available.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to specify ACL1 for a remote LAN whose ID is 2:

(Cisco Controller) >config remote-lan acl 2 ACL1

config remote-lan create

To configure a new remote LAN connection, use the config remote-lan create command.

config remote-lan create remote-lan-id name

Syntax Description

remote-lan-id

Remote LAN identifier. Valid values are between 1 and 512.

name

Remote LAN name. Valid values are up to 32 alphanumeric characters.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a new remote LAN, MyRemoteLAN, with the LAN ID as 3:

(Cisco Controller) >config remote-lan create 3 MyRemoteLAN

config remote-lan custom-web

To configure web authentication for a remote LAN, use the config remote-lan custom-web command.

config remote-lan custom-web
{ ext-webauth-url URL } | global { enable | disable } | login-page page-name | loginfailure-page { page-name | none} | logout-page { page-name | none} | webauth-type { internal | customized | external} } remote-lan-id

Syntax Description

ext-webauth-url

Configures an external web authentication URL.

URL

Web authentication URL for the Login page.

global

Configures the global status for the remote LAN.

enable

Enables the global status for the remote LAN.

disable

Disables the global status for the remote LAN.

login-page

Configures a login page.

page-name

Login page name.

none

Configures no login page.

logout-page

Configures a logout page.

none

Configures no logout page.

webauth-type

Configures the web authentication type for the remote LAN.

internal

Displays the default login page.

customized

Displays a downloaded login page.

external

Displays a login page that is on an external server.

name

Remote LAN name. Valid values are up to 32 alphanumeric characters.

remote-lan-id

Remote LAN identifier. Valid values are from 1 to 512.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Follow these guidelines when you use the config remote-lan custom-web command:

  • When you configure the external Web-Auth URL, do the following:

    • Ensure that Web-Auth or Web-Passthrough Security is in enabled state. To enable Web-Auth, use the config remote-lan security web-auth enable command. To enable Web-Passthrough, use the config remote-lan security web-passthrough enable command.

    • Ensure that the global status of the remote LAN is in disabled state. To enable the global status of the remote LAN, use the config remote-lan custom-web global disable command.

    • Ensure that the remote LAN is in disabled state. To disable a remote LAN, use the config remote-lan disable command.

  • When you configure the Web-Auth type for the remote LAN, do the following:

    • When you configure a customized login page, ensure that you have a login page configured. To configure a login page, use the config remote-lan custom-web login-page command.

    • When you configure an external login page, ensure that you have configured preauthentication ACL for external web authentication to function.

Examples

The following example shows how to configure an external web authentication URL for a remote LAN with ID 3:


(Cisco Controller) >config remote-lan custom-web ext-webauth-url http://www.AuthorizationURL.com/ 3

The following example shows how to enable the global status of a remote LAN with ID 3:


(Cisco Controller) >config remote-lan custom-web global enable 3

The following example shows how to configure the login page for a remote LAN with ID 3:


(Cisco Controller) >config remote-lan custom-web login-page custompage1 3

The following example shows how to configure a web authentication type with the default login page for a remote LAN with ID 3:


(Cisco Controller) >config remote-lan custom-web webauth-type internal 3

config remote-lan delete

To delete a remote LAN connection, use the config remote-lan delete command.

config remote-lan delete remote-lan-id

Syntax Description

remote-lan-id

Remote LAN identifier. Valid values are between 1 and 512.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to delete a remote LAN with ID 3:

(Cisco Controller) >config remote-lan delete 3

config remote-lan dhcp_server

To configure a dynamic host configuration protocol (DHCP) server for a remote LAN, use the config remote-lan dhcp_server command.

config remote-lan dhcp_server remote-lan-id ip_address

Syntax Description

remote-lan-id

Remote LAN identifier. Valid values are between 1 and 512.

ip_addr

IPv4 address of the override DHCP server.

Command Default

0.0.0.0 is set as the default interface value.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 This command supports only IPv4 address format.

Examples

The following example shows how to configure a DHCP server for a remote LAN with ID 3:

(Cisco Controller) >config remote-lan dhcp_server 3 209.165.200.225

config remote-lan exclusionlist

To configure the exclusion list timeout on a remote LAN, use the config remote-lan exclusionlist command.

config remote-lan exclusionlist remote-lan-id { seconds | disabled | enabled}

Syntax Description

remote-lan-id

Remote LAN identifier. Valid values are between 1 and 512.

seconds

Exclusion list timeout in seconds. A value of 0 requires an administrator override.

disabled

Disables exclusion listing.

enabled

Enables exclusion listing.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the exclusion list timeout to 20 seconds on a remote LAN with ID 3:

(Cisco Controller) >config remote-lan exclusionlist 3 20

config remote-lan interface

To configure an interface for a remote LAN, use the config remote-lan interface command.

config remote-lan interface remote-lan-id interface_name

Syntax Description

remote-lan-id

Remote LAN identifier. Valid values are between 1 and 512.

interface_name

Interface name.

Note 

Interface name should not be in upper case characters.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure an interface myinterface for a remote LAN with ID 3:

(Cisco Controller) >config remote-lan interface 3 myinterface

config remote-lan ldap

To configure a remote LAN’s LDAP servers, use the config remote-lan ldap command.

config remote-lan ldap { add | delete} remote-lan-id index

Syntax Description

add

Adds a link to a configured LDAP server (maximum of three).

delete

Deletes a link to a configured LDAP server.

remote-lan-id

Remote LAN identifier. Valid values are between 1 and 512.

index

LDAP server index.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add an LDAP server with the index number 10 for a remote LAN with ID 3:


(Cisco Controller) >config remote-lan ldap add 3 10

config remote-lan mac-filtering

To configure MAC filtering on a remote LAN, use the config remote-lan mac-filtering command.

config remote-lan mac-filtering { enable | disable} remote-lan-id

Syntax Description

enable

Enables MAC filtering on a remote LAN.

disable

Disables MAC filtering on a remote LAN.

remote-lan-id

Remote LAN identifier. Valid values are between 1 and 512.

Command Default

MAC filtering on a remote LAN is enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable MAC filtering on a remote LAN with ID 3:

(Cisco Controller) >config remote-lan mac-filtering disable 3

config remote-lan max-associated-clients

To configure the maximum number of client connections on a remote LAN, use the config remote-lan max-associated-clients command.

config remote-lan max-associated-clients remote-lan-id max-clients

Syntax Description

remote-lan-id

Remote LAN identifier. Valid values are between 1 and 512.

max-clients

Configures the maximum number of client connections on a remote LAN.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure 10 client connections on a remote LAN with ID 3:

(Cisco Controller) >config remote-lan max-associated-clients 3 10

config remote-lan radius_server

To configure the RADIUS servers on a remote LAN, use the config remote-lan radius_server command.

config remote-lan radius_server { acct {{ add | delete} server-index | { enable | disable} | interim-update { interval | enable | disable}} | auth {{ add | delete} server-index | { enable | disable } } | overwrite-interface { enable | disable} } remote-lan-id

Syntax Description

acct

Configures a RADIUS accounting server.

add

Adds a link to a configured RADIUS server.

delete

Deletes a link to a configured RADIUS server.

remote-lan-id

Remote LAN identifier. Valid values are between 1 and 512.

server-index

RADIUS server index.

enable

Enables RADIUS accounting for this remote LAN.

disable

Disables RADIUS accounting for this remote LAN.

interim-update

Enables RADIUS accounting for this remote LAN.

interval

Accounting interim interval. The range is from 180 to 3600 seconds.

enable

Enables accounting interim update.

disable

Disables accounting interim update.

auth

Configures a RADIUS authentication server.

enable

Enables RADIUS authentication for this remote LAN.

disable

Disables RADIUS authentication for this remote LAN.

overwrite-interface

Configures a RADIUS dynamic interface for the remote LAN.

enable

Enables a RADIUS dynamic interface for the remote LAN.

disable

Disables a RADIUS dynamic interface for the remote LAN.

Command Default

The interim update interval is set to 600 seconds.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable RADIUS accounting for a remote LAN with ID 3:

(Cisco Controller) >config remote-lan radius_server acct enable 3

config remote-lan security

To configure security policy for a remote LAN, use the config remote-lan security command.

config remote-lan security {{ web-auth { enable | disable | acl | server-precedence} remote-lan-id | { web-passthrough { enable | disable | acl | email-input} remote-lan-id}}

Syntax Description

web-auth

Specifies web authentication.

enable

Enables the web authentication settings.

disable

Disables the web authentication settings.

acl

Configures an access control list.

server-precedence

Configures the authentication server precedence order for web authentication users.

remote-lan-id

Remote LAN identifier. Valid values are between 1 and 512.

email-input

Configures the web captive portal using an e-mail address.

web-passthrough

Specifies the web captive portal with no authentication required.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

8.4

The 802.1X keyword was added.

Examples

The following example shows how to configure the security web authentication policy for remote LAN ID 1:

(Cisco Controller) >config remote-lan security web-auth enable 1

config remote-lan session-timeout

To configure client session timeout, use the config remote-lan session-timeout command.

config remote-lan session-timeout remote-lan-id seconds

Syntax Description

remote-lan-id

Remote LAN identifier. Valid values are between 1 and 512.

seconds

Timeout or session duration in seconds. A value of zero is equivalent to no timeout.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the client session timeout to 6000 seconds for a remote LAN with ID 1:

(Cisco Controller) >config remote-lan session-timeout 1 6000

config remote-lan webauth-exclude

To configure web authentication exclusion on a remote LAN, use the config remote-lan webauth-exclude command.

config remote-lan webauth-exclude remote-lan-id { enable | disable}

Syntax Description

remote-lan-id

Remote LAN identifier. Valid values are between 1 and 512.

enable

Enables web authentication exclusion on the remote LAN.

disable

Disables web authentication exclusion on the remote LAN.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable web authentication exclusion on a remote LAN with ID 1:


(Cisco Controller) >config remote-lan webauth-exclude 1 enable

config rf-profile band-select

To configure the RF profile band selection parameters, use the config rf-profile band-select command.

config rf-profile band-select { client-rssi rssi | cycle-count cycles | cycle-threshold value | expire { dual-band value | suppression value} | probe-response { enable | disable}} profile_name

Syntax Description

client-rssi

Configures the client Received Signal Strength Indicator (RSSI) threshold for the RF profile.

rssi

Minimum RSSI for a client to respond to a probe. The range is from -20 to -90 dBm.

cycle-count

Configures the probe cycle count for the RF profile. The cycle count sets the number of suppression cycles for a new client.

cycles

Value of the cycle count. The range is from 1 to 10.

cycle-threshold

Configures the time threshold for a new scanning RF Profile band select cycle period. This setting determines the time threshold during which new probe requests from a client come in a new scanning cycle.

value

Value of the cycle threshold for the RF profile. The range is from 1 to 1000 milliseconds.

expire

Configures the expiration time of clients for band select.

dual-band

Configures the expiration time for pruning previously known dual-band clients. After this time elapses, clients become new and are subject to probe response suppression.

value

Value for a dual band. The range is from 10 to 300 seconds.

suppression

Configures the expiration time for pruning previously known 802.11b/g clients. After this time elapses, clients become new and are subject to probe response suppression.

value

Value for suppression. The range is from 10 to 200 seconds.

probe-response

Configures the probe response for a RF profile.

enable

Enables probe response suppression on clients operating in the 2.4-GHz band for a RF profile.

disable

Disables probe response suppression on clients operating in the 2.4-GHz band for a RF profile.

profile name

Name of the RF profile. The profile name can be up to 32 case-sensitive, alphanumeric characters.

Command Default

The default value for client RSSI is –80 dBm.

The default cycle count is 2.

The default cycle threshold is 200 milliseconds.

The default value for dual-band expiration is 60 seconds.

The default value for suppression expiration is 20 seconds.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When you enable band select on a WLAN, the access point suppresses client probes on 2.4-GHz and moves the dual band clients to the 5-Ghz spectrum. The band-selection algorithm directs dual-band clients only from the 2.4-GHz radio to the 5-GHz radio of the same access point, and it only runs on an access point when both the 2.4-GHz and 5-GHz radios are up and running. Band selection can be used only with Cisco Aironet 1040, 1140, and 1250 Series and the 3500 series access points.

Examples

The following example shows how to configure the client RSSI:

(Cisco Controller) >config rf-profile band-select client-rssi -70

config rf-profile client-trap-threshold

To configure the threshold value of the number of clients that associate with an access point, after which an SNMP trap is sent to the controller, use the config rf-profile client-trap-threshold command.

config rf-profile client-trap-threshold threshold profile_name

Syntax Description

threshold

Threshold value of the number of clients that associate with an access point, after which an SNMP trap is sent to the controller. The range is from 0 to 200. Traps are disabled if the threshold value is configured as zero.

profile_name

Name of the RF profile. The profile name can be up to 32 case-sensitive, alphanumeric characters.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the threshold value of the number of clients that associate with an access point:

(Cisco Controller) >config rf-profile client-trap-threshold 150

config rf-profile create

To create a RF profile, use the config rf-profile create command.

config rf-profile create { 802.11a | 802.11b/g} profile-name

Syntax Description

802.11a

Configures the RF profile for the 2.4GHz band.

802.11b/g

Configures the RF profile for the 5GHz band.

profile-name

Name of the RF profile.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to create a new RF profile:

(Cisco Controller) >config rf-profile create 802.11a RFtestgroup1

config rf-profile fra client-aware

To configure the RF profile client-aware FRA feature, use the config rf-profile fra client-aware command.

config rf-profile fra client-aware { client-reset percent rf-profile-name | client-select percent rf-profile-name | disable rf-profile-name | enable rf-profile-name}

Syntax Description

client-reset

Configures the RF profile AP utilization threshold for radio to switch back to Monitor mode.

percent

Utilization percentage value ranges from 0 to 100. The default is 5%.

rf-profile-name

Name of the RF Profile.

client-select

Configures the RF profile utilization threshold for radio to switch to 5GHz.

percent

Utilization percentage value ranges from 0 to 100. The default is 50%.

disable

Disables the RF profile client-aware FRA feature.

enable

Enables the RF profile client-aware FRA feature.

Command Default

The default percent value for client-select and client-reset is 50% and 5% respectively.

Command History

Release Modification
8.5 This command was introduced.

Examples

The following example shows how to configure the RF profile utilization threshold for redundant dual-band radios to switch back from 5GHz client-serving role to Monitor mode:

(Cisco Controller) >config rf-profile fra client-aware client-reset 15 profile1

The following example shows how to configure the RF profile utilization threshold for redundant dual-band radios to switch from Monitor mode to 5GHz client-serving role:

(Cisco Controller) >config rf-profile fra client-aware client-select 20 profile1

The following example shows how to disable the RF profile client-aware FRA feature:

(Cisco Controller) >config rf-profile fra client-aware disable profile1

The following example shows how to enable the RF profile client-aware FRA feature:

(Cisco Controller) >config rf-profile fra client-aware enable profile1

config rf-profile data-rates

To configure the data rate on a RF profile, use the config rf-profile data-rates command.

config rf-profile data-rates { disabled | mandatory | supported} data-rate profile-name

Syntax Description

disabled

Disables a rate.

mandatory

Sets a rate to mandatory.

supported

Sets a rate to supported.

data-rate

802.11 operational rates, which are 1*, 2*, 5.5*, 6, 9, 11*, 12, 18, 24, 36, 48 and 54, where * denotes 802.11b only rates.

profile-name

Name of the RF profile.

Command Default

Default data rates for RF profiles are derived from the controller system defaults, the global data rate configurations. For example, if the RF profile's radio policy is mapped to 802.11a then the global 802.11a data rates are copied into the RF profiles at the time of creation.

The data rates set with this command are negotiated between the client and the Cisco wireless LAN controller. If the data rate is set to mandatory, the client must support it in order to use the network. If a data rate is set as supported by the Cisco wireless LAN controller, any associated client that also supports that rate may communicate with the Cisco lightweight access point using that rate. It is not required that a client is able to use all the rates marked supported in order to associate.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the 802.11b transmission of an RF profile at a mandatory rate at 12 Mbps:

(Cisco Controller) >config rf-profile 802.11b data-rates mandatory 12 RFGroup1 

config rf-profile delete

To delete a RF profile, use the config rf-profile delete command.

config rf-profile delete profile-name

Syntax Description

profile-name

Name of the RF profile.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to delete a RF profile:


(Cisco Controller) >config rf-profile delete RFGroup1 

config rf-profile description

To provide a description to a RF profile, use the config rf-profile description command.

config rf-profile description description profile-name

Syntax Description

description

Description of the RF profile.

profile-name

Name of the RF profile.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add a description to a RF profile:

(Cisco Controller) >config rf-profile description This is a demo desciption RFGroup1 

config rf-profile load-balancing

To configure load balancing on an RF profile, use the config rf-profile load-balancing command.

config rf-profile load-balancing { window clients | denial value} profile_name

Syntax Description

window

Configures the client window for load balancing of an RF profile.

clients

Client window size that limits the number of client associations with an access point. The range is from 0 to 20. The default value is 5.

The window size is part of the algorithm that determines whether an access point is too heavily loaded to accept more client associations:

load-balancing window + client associations on AP with lightest load = load-balancing threshold

Access points with more client associations than this threshold are considered busy, and clients can associate only to access points with client counts lower than the threshold. This window also helps to disassociate sticky clients.
denial

Configures the client denial count for load balancing of an RF profile.

value

Maximum number of association denials during load balancing. The range is from 1 to 10. The default value is 3.

When a client tries to associate on a wireless network, it sends an association request to the access point. If the access point is overloaded and load balancing is enabled on the controller, the access point sends a denial to the association request. If there are no other access points in the range of the client, the client tries to associate the same access point again. After the maximum denial count is reached, the client is able to associate. Association attempts on an access point from any client before associating any AP is called a sequence of association. The default is 3.

profile_name

Name of the RF profile. The profile name can be up to 32 case-sensitive, alphanumeric characters.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the client window size for an RF profile:

(Cisco Controller) >config rf-profile load-balancing window 15

config rf-profile max-clients

To configure the maximum number of client connections per access point of an RF profile, use the config rf-profile max-clients commands.

config rf-profile max-clients clients

Syntax Description

clients

Maximum number of client connections per access point of an RF profile. The range is from 1 to 200.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You can use this command to configure the maximum number of clients on access points that are in client dense areas, or serving high bandwidth video or mission critical voice applications.

Examples

The following example shows how to set the maximum number of clients at 50:

(Cisco Controller) >config rf-profile max-clients 50

config rf-profile multicast data-rate

To configure the minimum RF profile multicast data rate, use the config rf-profile multicast data-rate command.

config rf-profile multicast data-rate value profile_name

Syntax Description

value

Minimum RF profile multicast data rate. The options are 6, 9, 12, 18, 24, 36, 48, 54. Enter 0 to specify that access points will dynamically adjust the data rate.

profile_name

Name of the RF profile. The profile name can be up to 32 case-sensitive, alphanumeric characters.

Command Default

The minimum RF profile multicast data rate is 0.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the multicast data rate for an RF profile:

(Cisco Controller) >config rf-profile multicast data-rate 24

config rf-profile out-of-box

To create an out-of-box AP group consisting of newly installed access points, use the config rf-profile out-of-box command.

config rf-profile out-of-box { enable | disable}

Syntax Description

enable
Enables the creation of an out-of-box AP group. When you enable this command, the following occurs:
  • Newly installed access points that are part of the default AP group will be part of the out-of-box AP group and their radios will be switched off, which eliminates any RF instability caused by the new access points.

  • All access points that do not have a group name become part of the out-of-box AP group.

  • Special RF profiles are created per 802.11 band. These RF profiles have default-settings for all the existing RF parameters and additional new configurations.

disable

Disables the out-of-box AP group. When you disable this feature, only the subscription of new APs to the out-of-box AP group stops. All APs that are subscribed to the out-of-box AP group remain in this AP group. You can move APs to the default group or a custom AP group upon network convergence.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When an out-of-box AP associates with the controller for the first time, it will be redirected to a special AP group and the RF profiles applicable to this AP Group will control the radio admin state configuration of the AP. You can move APs to the default group or a custom group upon network convergence.

Examples

The following example shows how to enable the creation of an out-of-box AP group:

(Cisco Controller) >config rf-profile out-of-box enable

config rf-profile tx-power-control-thresh-v1

To configure Transmit Power Control version1 (TPCv1) to an RF profile, use the config rf-profile tx-power-control-thresh-v1 command.

config rf-profile tx-power-control-thresh-v1 tpc-threshold profile_name

Syntax Description

tpc-threshold

TPC threshold.

profile-name

Name of the RF profile.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure TPCv1 on an RF profile:

(Cisco Controller) >config rf-profile tx-power-control-thresh-v1 RFGroup1 

config rf-profile tx-power-control-thresh-v2

To configure Transmit Power Control version 2 (TPCv2) to an RF profile, use the config rf-profile tx-power-control-thresh-v2 command.

config rf-profile tx-power-control-thresh-v2 tpc-threshold profile-name

Syntax Description

tpc-threshold

TPC threshold.

profile-name

Name of the RF profile.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure TPCv2 on an RF profile:

(Cisco Controller) >config rf-profile tx-power-control-thresh-v2 RFGroup1 

config rf-profile tx-power-max

To configure maximum auto-rf to an RF profile, use the config rf-profile tx-power-max command.

config rf-profile tx-power-max profile-name

Syntax Description

tx-power-max

Maximum auto-rf tx power.

profile-name

Name of the RF profile.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure tx-power-max on an RF profile:

(Cisco Controller) >config rf-profile tx-power-max RFGroup1 

config rf-profile tx-power-min

To configure minimum auto-rf to an RF profile, use the config rf-profile tx-power-min command.

config rf-profile tx-power-min tx-power-min profile-name

Syntax Description

tx-power-min

Minimum auto-rf tx power.

profile-name

Name of the RF profile.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure tx-power-min on an RF profile:


(Cisco Controller) >config rf-profile tx-power-min RFGroup1 

config watchlist add

To add a watchlist entry for a wireless LAN, use the config watchlist add command.

config watchlist add { mac MAC | username username}

Syntax Description

mac MAC

Specifies the MAC address of the wireless LAN.

username username

Specifies the name of the user to watch.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add a watchlist entry for the MAC address a5:6b:ac:10:01:6b:


(Cisco Controller) >config watchlist add mac a5:6b:ac:10:01:6b

config watchlist delete

To delete a watchlist entry for a wireless LAN, use the config watchlist delete command.

config watchlist delete { mac MAC | username username}

Syntax Description

mac MAC

Specifies the MAC address of the wireless LAN to delete from the list.

username username

Specifies the name of the user to delete from the list.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to delete a watchlist entry for the MAC address a5:6b:ac:10:01:6b:


(Cisco Controller) >config watchlist delete mac a5:6b:ac:10:01:6b

config watchlist disable

To disable the client watchlist, use the config watchlist disable command.

config watchlist disable

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable the client watchlist:


(Cisco Controller) >config watchlist disable

config watchlist enable

To enable a watchlist entry for a wireless LAN, use the config watchlist enable command.

config watchlist enable

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable a watchlist entry:


(Cisco Controller) >config watchlist enable

config wlan

To create, delete, enable, or disable a wireless LAN, use the config wlan command.

config wlan { enable | disable | create | delete} wlan_id [ name | foreignAp name ssid | all]

Syntax Description

enable

Enables a wireless LAN.

disable

Disables a wireless LAN.

create

Creates a wireless LAN.

delete

Deletes a wireless LAN.

wlan_id

Wireless LAN identifier between 1 and 512.

name

(Optional) WLAN profile name up to 32 alphanumeric characters.

foreignAp

(Optional) Specifies the third-party access point settings.

ssid

SSID (network name) up to 32 alphanumeric characters.

all

(Optional) Specifies all wireless LANs.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When you create a new WLAN using the config wlan create command, it is created in disabled mode. Leave it disabled until you have finished configuring it.

If you do not specify an SSID, the profile name parameter is used for both the profile name and the SSID.

If the management and AP-manager interfaces are mapped to the same port and are members of the same VLAN, you must disable the WLAN before making a port-mapping change to either interface. If the management and AP-manager interfaces are assigned to different VLANs, you do not need to disable the WLAN.

An error message appears if you try to delete a WLAN that is assigned to an access point group. If you proceed, the WLAN is removed from the access point group and from the access point’s radio.

Examples

The following example shows how to enable wireless LAN identifier 16:

(Cisco Controller) >config wlan enable 16

config wlan 7920-support

To configure support for phones, use the config wlan 7920-support command.

config wlan 7920-support { client-cac-limit | ap-cac-limit} { enable | disable} wlan_id

Syntax Description

ap-cac-limit

Supports phones that require client-controlled Call Admission Control (CAC) that expect the Cisco vendor-specific information element (IE).

client-cac-limit

Supports phones that require access point-controlled CAC that expect the IEEE 802.11e Draft 6 QBSS-load.

enable

Enables phone support.

disable

Disables phone support.

wlan_id

Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You cannot enable both WMM mode and client-controlled CAC mode on the same WLAN.

Examples

The following example shows how to enable the phone support that requires client-controlled CAC with wireless LAN ID 8:

(Cisco Controller) >config wlan 7920-support ap-cac-limit enable 8

config wlan 802.11e

To configure 802.11e support on a wireless LAN, use the config wlan 802.11e command.

config wlan 802.11e { allow | disable | require} wlan_id

Syntax Description

allow

Allows 802.11e-enabled clients on the wireless LAN.

disable

Disables 802.11e on the wireless LAN.

require

Requires 802.11e-enabled clients on the wireless LAN.

wlan_id

Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

802.11e provides quality of service (QoS) support for LAN applications, which are critical for delay sensitive applications such as Voice over Wireless IP (VoWIP).

802.11e enhances the 802.11 Media Access Control layer (MAC layer) with a coordinated time division multiple access (TDMA) construct, and adds error-correcting mechanisms for delay sensitive applications such as voice and video. The 802.11e specification provides seamless interoperability and is especially well suited for use in networks that include a multimedia capability.

Examples

The following example shows how to allow 802.11e on the wireless LAN with LAN ID 1:

(Cisco Controller) >config wlan 802.11e allow 1

config wlan aaa-override

To configure a user policy override via AAA on a wireless LAN, use the config wlan aaa-override command.

config wlan aaa-override { enable | disable} { wlan_id | foreignAp}

Syntax Description

enable

Enables a policy override.

disable

Disables a policy override.

wlan_id

Wireless LAN identifier between 1 and 512.

foreignAp

Specifies third-party access points.

Command Default

AAA is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When AAA override is enabled and a client has conflicting AAA and Cisco wireless LAN controller wireless LAN authentication parameters, client authentication is performed by the AAA server. As part of this authentication, the operating system will move clients from the default Cisco wireless LAN VLAN to a VLAN returned by the AAA server and predefined in the controller interface configuration (only when configured for MAC filtering, 802.1X, and/or WPA operation). In all cases, the operating system will also use QoS, DSCP, 802.1p priority tag values, and ACLs provided by the AAA server, as long as they are predefined in the controller interface configuration. (This VLAN switching by AAA override is also referred to as Identity Networking.)

If the corporate wireless LAN uses a management interface assigned to VLAN 2, and if AAA override returns a redirect to VLAN 100, the operating system redirects all client transmissions to VLAN 100, regardless of the physical port to which VLAN 100 is assigned.

When AAA override is disabled, all client authentication defaults to the controller authentication parameter settings, and authentication is performed by the AAA server if the controller wireless LAN does not contain any client-specific authentication parameters.

The AAA override values might come from a RADIUS server.

Examples

The following example shows how to configure user policy override via AAA on WLAN ID 1:


(Cisco Controller) >config wlan aaa-override enable 1

config wlan acl

To configure a wireless LAN access control list (ACL), use the config wlan acl command.

config wlan acl [ acl_name | none]

Syntax Description

wlan_id

Wireless LAN identifier (1 to 512).

acl_name

(Optional) ACL name.

none

(Optional) Clears the ACL settings for the specified wireless LAN.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a WLAN access control list with WLAN ID 1 and ACL named office_1:

(Cisco Controller) >config wlan acl 1 office_1

config wlan assisted-roaming

To configure assisted roaming on a WLAN, use the config wlan assisted-roaming command.

config wlan assisted-roaming { neighbor-list | dual-list | prediction} { enable | disable} wlan_id

Syntax Description

neighbor-list

Configures an 802.11k neighbor list for a WLAN.

dual-list

Configures a dual band 802.11k neighbor list for a WLAN. The default is the band that the client is currently associated with.

prediction

Configures an assisted roaming optimization prediction for a WLAN.

enable

Enables the configuration on the WLAN.

disable

Disables the configuration on the WLAN.

wlan_id

Wireless LAN identifier between 1 and 512 (inclusive).

Command Default

The 802.11k neighbor list is enabled for all WLANs.

By default, dual band list is enabled if the neighbor list feature is enabled for the WLAN.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When you enable the assisted roaming prediction list, a warning appears and load balancing is disabled for the WLAN, if load balancing is already enabled on the WLAN.

Examples

The following example shows how to enable an 802.11k neighbor list for a WLAN:

(Cisco Controller) >config wlan assisted-roaming neighbor-list enable 1

config wlan avc

To configure Application Visibility and Control (AVC) on a WLAN, use the config wlan avc command.

config wlan avc wlan_id { profile profile_name | visibility} { enable | disable}

Syntax Description

wlan_id

Wireless LAN identifier from 1 to 512.

profile

Associates or removes an AVC profile from a WLAN.

profile_name

Name of the AVC profile. The profile name can be up to 32 case-sensitive, alphanumeric characters.

visibility

Configures application visibility on a WLAN.

enable

Enables application visibility on a WLAN. You can view the classification of applications based on the Network Based Application Recognition (NBAR) deep packet inspection technology.

Use the show avc statistics client command to view the client AVC statistics.

disable

Disables application visibility on a WLAN.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You can configure only one AVC profile per WLAN and each AVC profile can have up to 32 rules. Each rule states a Mark or Drop action for an application, which allows you to configure up to 32 application actions per WLAN. You can configure up to 16 AVC profiles on a controller and associate an AVC profile with multiple WLANs.

Examples

The following example shows how to associate an AVC profile with a WLAN:

(Cisco Controller) >config wlan avc 5 profile profile1 enable

config wlan apgroup

To manage access point group VLAN features, use the config wlan apgroup command.

config wlan apgroup { add apgroup_name [ description] | 
 delete apgroup_name | 
 description apgroup_name description | 
 interface-mapping { add | delete} apgroup_name wlan_id interface_name |
 nac-snmp { enable | disable} apgroup_name wlan_id
| nasid NAS-ID apgroup_name | profile-mapping { add | delete} apgroup_name
profile_name | wlan-radio-policy apgroup_name
wlan-id { 802.11a-only | 802.11bg | 802.11g-only | all} | venue { add | delete} apgroup_name
}}

Syntax Description

add

Creates a new access point group (AP group).

apgroup_name

Access point group name.

wlan_id

Wireless LAN identifier from 1 to 512.

delete

Removes a wireless LAN from an AP group.

description

Describes an AP group.

description

Description of the AP group.

interface-mapping

(Optional) Assigns or removes a Wireless LAN from an AP group.

interface_name

(Optional) Interface to which you want to map an AP group.

nac-snmp

Configures NAC SNMP functionality on given AP group. Enables or disables Network Admission Control (NAC) out-of-band support on an access point group.

enable

Enables NAC out-of-band support on an AP group.

disable

Disables NAC out-of-band support on an AP group.

NAS-ID

Network Access Server identifier (NAS-ID) for the AP group. The NAS-ID is sent to the RADIUS server by the controller (as a RADIUS client) using the authentication request, which is used to classify users to different groups. You can enter up to 32 alphanumeric characters. Beginning in Release 7.4 and later releases, you can configure the NAS-ID on the interface, WLAN, or an access point group. The order of priority is AP group NAS-ID > WLAN NAS-ID > Interface NAS-ID.

none

Configures the controller system name as the NAS-ID.

profile-mapping

Configures RF profile mapping on an AP group.

profile_name

RF profile name for a specified AP group.

wlan-radio-policy

Configures WLAN radio policy on an AP group.

802.11a-only

Configures WLAN radio policy on an AP group.

802.11bg

Configures WLAN radio policy on an AP group.

802.11g-only

Configures WLAN radio policy on an AP group.

all

Configures WLAN radio policy on an AP group.

venue

Configures venue information for an AP group.

type_code

Venue type information for an AP group.

For venue group 1 (ASSEMBLY), the following options are available:
  • 0 : UNSPECIFIED ASSEMBLY

  • 1 : ARENA

  • 2 : STADIUM

  • 3 : PASSENGER TERMINAL

  • 4 : AMPHITHEATER

  • 5 : AMUSEMENT PARK

  • 6 : PLACE OF WORSHIP

  • 7 : CONVENTION CENTER

  • 8 : LIBRARY

  • 9 : MUSEUM

  • 10 : RESTAURANT

  • 11 : THEATER

  • 12 : BAR

  • 13 : COFFEE SHOP

  • 14 : ZOO OR AQUARIUM

  • 15 : EMERGENCY COORDINATION CENTER

For venue group 2 (BUSINESS), the following options are available:
  • 0 : UNSPECIFIED BUSINESS

  • 1 : DOCTOR OR DENTIST OFFICE

  • 2 : BANK

  • 3 : FIRE STATION

  • 4 : POLICE STATION

  • 6 : POST OFFICE

  • 7 : PROFESSIONAL OFFICE

  • 8 : RESEARCH AND DEVELOPMENT FACILITY

  • 9 : ATTORNEY OFFICE

For venue group 3 (EDUCATIONAL), the following options are available:
  • 0 : UNSPECIFIED EDUCATIONAL

  • 1 : PRIMARY SCHOOL

  • 2 : SECONDARY SCHOOL

  • 3 : UNIVERSITY OR COLLEGE

For venue group 4 (FACTORY-INDUSTRIAL), the following options are available:
  • 0 : UNSPECIFIED FACTORY AND INDUSTRIAL

  • 1 : FACTORY

For venue group 5 (INSTITUTIONAL), the following options are available:
  • 0 : UNSPECIFIED INSTITUTIONAL

  • 1 : HOSPITAL

  • 2 : LONG-TERM CARE FACILITY

  • 3 : ALCOHOL AND DRUG RE-HABILITATION CENTER

  • 4 :GROUP HOME

  • 5 :PRISON OR JAIL

For venue group 6 (MERCANTILE), the following options are available:
  • 0 : UNSPECIFIED MERCANTILE

  • 1 : RETAIL STORE

  • 2 : GROCERY MARKET

  • 3 : AUTOMOTIVE SERVICE STATION

  • 4 : SHOPPING MALL

  • 5 : GAS STATION

For venue group 7 (RESIDENTIAL), the following options are available:
  • 0 : UNSPECIFIED RESIDENTIAL

  • 1 : PRIVATE RESIDENCE

  • 2 : HOTEL OR MOTEL

  • 3 : DORMITORY

  • 4 : BOARDING HOUSE

name

Configures the name of venue for an AP group.

language_code

An ISO-639 encoded string defining the language used at the venue. This string is a three character language code. For example, you can enter ENG for English.

venue_name

Venue name for this AP group. This name is associated with the basic service set (BSS) and is used in cases where the SSID does not provide enough information about the venue. The venue name is case-sensitive and can be up to 252 alphanumeric characters.

add

Adds an operating class for an AP group.

delete

Deletes an operating class for an AP group.

operating_class_value

Operating class for an AP group. The available operating classes are 81, 83, 84, 112, 113, 115, 116, 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127.

Command Default

AP Group VLAN is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

An error message appears if you try to delete an access point group that is used by at least one access point. Before you can delete an AP group in controller software release 6.0, move all APs in this group to another group. The access points are not moved to the default-group access point group as in previous releases. To see the APs, enter the show wlan apgroups command. To move APs, enter the config ap group-name groupname cisco_ap command.

The NAS-ID configured on the controller for AP group or WLAN or interface is used for authentication. The NAS-ID is not propagated across controllers.

Examples

The following example shows how to enable the NAC out-of band support on access point group 4:

(Cisco Controller) >config wlan apgroup nac enable apgroup 4

config wlan band-select allow

To configure band selection on a WLAN, use the config wlan band-select allow command.

config wlan band-select allow { enable | disable} wlan_id

Syntax Description

enable

Enables band selection on a WLAN.

disable

Disables band selection on a WLAN.

wlan_id

Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When you enable band select on a WLAN, the access point suppresses client probes on 2.4-GHz and moves the dual band clients to the 5-Ghz spectrum. The band-selection algorithm directs dual-band clients only from the 2.4-GHz radio to the 5-GHz radio of the same access point, and it only runs on an access point when both the 2.4-GHz and 5-GHz radios are up and running. Band selection can be used only with Cisco Aironet 1040, 1140, and 1250 Series and the 3500 series access points.

Examples

The following example shows how to enable band selection on a WLAN:

(Cisco Controller) >config wlan band-select allow enable 6

config wlan broadcast-ssid

To configure an Service Set Identifier (SSID) broadcast on a wireless LAN, use the config wlan broadcast-ssid command.

config wlan broadcast-ssid { enable | disable} wlan_id

Syntax Description

enable

Enables SSID broadcasts on a wireless LAN.

disable

Disables SSID broadcasts on a wireless LAN.

wlan_id

Wireless LAN identifier between 1 and 512.

Command Default

Broadcasting of SSID is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure an SSID broadcast on wireless LAN ID 1:

(Cisco Controller) >config wlan broadcast-ssid enable 1

config wlan call-snoop

To enable or disable Voice-over-IP (VoIP) snooping for a particular WLAN, use the config wlan call-snoop command.

config wlan call-snoop { enable | disable} wlan_id

Syntax Description

enable

Enables VoIP snooping on a wireless LAN.

disable

Disables VoIP snooping on a wireless LAN.

wlan_id

Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

WLAN should be with Platinum QoS and it needs to be disabled while invoking this CLI

Examples

The following example shows how to enable VoIP snooping for WLAN 3:

(Cisco Controller) >config wlan call-snoop 3 enable

config wlan chd

To enable or disable Coverage Hole Detection (CHD) for a wireless LAN, use the config wlan chd command.

config wlan chd wlan_id { enable | disable}

Syntax Description

wlan_id

Wireless LAN identifier between 1 and 512.

enable

Enables SSID broadcasts on a wireless LAN.

disable

Disables SSID broadcasts on a wireless LAN.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable CHD for WLAN 3:


(Cisco Controller) >config wlan chd 3 enable

config wlan ccx aironet-ie

To enable or disable Aironet information elements (IEs) for a WLAN, use the config wlan ccx aironet-ie command.

config wlan ccx aironet-ie { enable | disable}

Syntax Description

enable

Enables the Aironet information elements.

disable

Disables the Aironet information elements.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable Aironet information elements for a WLAN:

(Cisco Controller) >config wlan ccx aironet-ie enable

config wlan channel-scan defer-priority

To configure the controller to defer priority markings for packets that can defer off channel scanning, use the config wlan channel-scan defer-priority command.

config wlan channel-scan defer-priority priority [ enable | disable] wlan_id

Syntax Description

priority

User priority value (0 to 7).

enable

(Optional) Enables packet at given priority to defer off channel scanning.

disable

(Optional) Disables packet at gven priority to defer off channel scanning.

wlan_id

Wireless LAN identifier (1 to 512).

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The priority value should be set to 6 on the client and on the WLAN.

Examples

The following example shows how to enable the controller to defer priority markings that can defer off channel scanning with user priority value 6 and WLAN id 30:

(Cisco Controller) >config wlan channel-scan defer-priority 6 enable 30

config wlan channel-scan defer-time

To assign the channel scan defer time in milliseconds, use the config wlan channel-scan defer-time command.

config wlan channel-scan defer-time msecs wlan_id

Syntax Description

msecs

Deferral time in milliseconds (0 to 60000 milliseconds).

wlan_id

Wireless LAN identifier from 1 to 512.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The time value in milliseconds should match the requirements of the equipment on your WLAN.

Examples

The following example shows how to assign the scan defer time to 40 milliseconds for WLAN with ID 50:


(Cisco Controller) >config wlan channel-scan defer-time 40 50

config wlan custom-web

To configure the web authentication page for a WLAN, use the config wlan custom-web command.

config wlan custom-web{ { ext-webauth-url ext-webauth-url wlan_id } | { global { enable | disable}} | { login-page page-name } | { loginfailure-page { page-name | none}} | { logout-page { page-name | none}} | { { webauth-type { internal | customized | external} wlan_id}}

Syntax Description

ext-webauth-url

Configures an external web authentication URL.

ext-webauth-url

External web authentication URL.

wlan_id

WLAN identifier. Default range is from 1 to 512.

global

Configures the global status for a WLAN.

enable

Enables the global status for a WLAN.

disable

Disables the global status for a WLAN.

login-page

Configures the name of the login page for an external web authentication URL.

page-name

Login page name for an external web authentication URL.

loginfailure-page

Configures the name of the login failure page for an external web authentication URL.

none

Does not configure a login failure page for an external web authentication URL.

logout-page

Configures the name of the logout page for an external web authentication URL.

webauth-type

Configures the type of web authentication for the WLAN.

internal

Displays the default login page.

customized

Displays a customized login page.

external

Displays a login page on an external web server.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

The following example shows how to configure web authentication type in the WLAN.

Examples

Cisco Controller config wlan custom-web webauth-type external

config wlan dhcp_server

To configure the internal DHCP server for a wireless LAN, use the config wlan dhcp_server command.

config wlan dhcp_server { wlan_id | foreignAp} ip_address [ required]

Syntax Description

wlan_id

Wireless LAN identifier between 1 and 512.

foreignAp

Specifies third-party access points.

ip_address

IP address of the internal DHCP server (this parameter is required).

required

(Optional) Specifies whether DHCP address assignment is required.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The preferred method for configuring DHCP is to use the primary DHCP address assigned to a particular interface instead of the DHCP server override. If you enable the override, you can use the show wlan command to verify that the DHCP server has been assigned to the WLAN.

Examples

The following example shows how to configure an IP address 10.10.2.1 of the internal DHCP server for wireless LAN ID 16:


(Cisco Controller) >config wlan dhcp_server 16 10.10.2.1

config wlan diag-channel

To enable the diagnostic channel troubleshooting on a particular WLAN, use the config wlan diag-channel command.

config wlan diag-channel [ enable | disable] wlan_id

Syntax Description

enable

(Optional) Enables the wireless LAN diagnostic channel.

disable

(Optional) Disables the wireless LAN diagnostic channel.

wlan_id

Wireless LAN identifier (1 to 512).

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the wireless LAN diagnostic channel for WLAN ID 1:


(Cisco Controller) >config wlan diag-channel enable 1

config wlan dtim

To configure a Delivery Traffic Indicator Message (DTIM) for 802.11 radio network config wlan dtim command.

config wlan dtim { 802.11a | 802.11b} dtim wlan_id

Syntax Description

802.11a

Configures DTIM for the 802.11a radio network.

802.11b

Configures DTIM for the 802.11b radio network.

dtim

Value for DTIM (between 1 to 255 inclusive).

wlan_id

Number of the WLAN to be configured.

Command Default

The default is DTIM 1.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure DTIM for 802.11a radio network with DTIM value 128 and WLAN ID 1:


(Cisco Controller) >config wlan dtim 802.11a 128 1

config wlan exclusionlist

To configure the wireless LAN exclusion list, use the config wlan exclusionlist command.

config wlan exclusionlist { wlan_id [ enabled | disabled | time] |
 foreignAp [ enabled | disabled | time]}

Syntax Description

wlan_id

Wireless LAN identifier (1 to 512).

enabled

(Optional) Enables the exclusion list for the specified wireless LAN or foreign access point.

disabled

(Optional) Disables the exclusion list for the specified wireless LAN or a foreign access point.

time

(Optional) Exclusion list timeout in seconds. A value of zero (0) specifies infinite time.

foreignAp

Specifies a third-party access point.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command replaces the config wlan blacklist command.

Examples

The following example shows how to enable the exclusion list for WLAN ID 1:


(Cisco Controller) >config wlan exclusionlist 1 enabled

config wlan flow

To associate a NetFlow monitor with a WLAN, use the config wlan flow command.

config wlan flow wlan_id monitor monitor_name { enable | disable}

Syntax Description

wlan_id

Wireless LAN identifier from 1 to 512 (inclusive).

monitor

Configures a NetFlow monitor.

monitor_name

Name of the NetFlow monitor. The monitor name can be up to 32 case-sensitive, alphanumeric characters. You cannot include spaces for a monitor name.

enable

Associates a NetFlow monitor with a WLAN.

disable

Dissociates a NetFlow monitor from a WLAN.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You can use the config flow command to create a new NetFlow monitor.

Examples

The following example shows how to associate a NetFlow monitor with a WLAN:

(Cisco Controller) >config wlan flow 5 monitor monitor1 enable

config wlan flexconnect ap-auth

To configure local authentication of clients associated with FlexConnect on a locally switched WLAN, use the config wlan flexconnect ap-auth command.

config wlan flexconnect ap-auth wlan_id { enable | disable}

Syntax Description

ap-auth

Configures local authentication of clients associated with an FlexConnect on a locally switched WLAN.

wlan_id

Wireless LAN identifier between 1 and 512.

enable

Enables AP authentication on a WLAN.

disable

Disables AP authentication on a WLAN.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Local switching must be enabled on the WLAN where you want to configure local authentication of clients associated with FlexConnect.

Examples

The following example shows how to enable authentication of clients associated with FlexConnect on a specified WLAN:


(Cisco Controller) >config wlan flexconnect ap-auth 6 enable

config wlan flexconnect learn-ipaddr

To enable or disable client IP address learning for the Cisco WLAN controller, use the config wlan flexconnect learn-ipaddr command.

config wlan flexconnect learn-ipaddr wlan_id { enable | disable}

Syntax Description

wlan_id

Wireless LAN identifier between 1 and 512.

enable

Enables client IPv4 address learning on a wireless LAN.

disable

Disables client IPv4 address learning on a wireless LAN.

Command Default

Disabled when the config wlan flexconnect local-switching command is disabled. 
Enabled when the config wlan flexconnect local-switching command is enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

8.0

This command supports only IPv4 address format.

Usage Guidelines

If the client is configured with Layer 2 encryption, the controller cannot learn the client IP address, and the controller will periodically drop the client. Disable this option to keep the client connection without waiting to learn the client IP address.


Note

This command is valid only for IPv4.

Note

The ability to disable IP address learning is not supported with FlexConnect central switching.

Examples

The following example shows how to disable client IP address learning for WLAN 6:


(Cisco Controller) >config wlan flexconnect learn-ipaddr disable 6

config wlan flexconnect local-switching

To configure local switching, central DHCP, NAT-PAT, or the override DNS option on a FlexConnect WLAN, use the config wlan flexconnect local switching command.

config wlan flexconnect local-switching wlan_id { enable | disable} { { central-dhcp { enable | disable} nat-pat { enable | disable} } | { override option dns { enable | disable} } }

Syntax Description

wlan_id

Wireless LAN identifier from 1 to 512.

enable

Enables local switching on a FlexConnect WLAN.

disable

Disables local switching on a FlexConnect WLAN.

central-dhcp

Configures central switching of DHCP packets on the local switching FlexConnect WLAN. When you enable this feature, the DHCP packets received from the AP are centrally switched to the controller and forwarded to the corresponding VLAN based on the AP and the SSID.

enable

Enables central DHCP on a FlexConnect WLAN.

disable

Disables central DHCP on a FlexConnect WLAN.

nat-pat

Configures Network Address Translation (NAT) and Port Address Translation (PAT) on the local switching FlexConnect WLAN.

enable

Enables NAT-PAT on the FlexConnect WLAN.

disable

Disables NAT-PAT on the FlexConnect WLAN.

override

Specifies the DHCP override options on the FlexConnect WLAN.

option dns

Specifies the override DNS option on the FlexConnect WLAN. When you override this option, the clients get their DNS server IP address from the AP, not from the controller.

enable

Enables the override DNS option on the FlexConnect WLAN.

disable

Disables the override DNS option on the FlexConnect WLAN.

Command Default

This feature is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 This command supports only IPv4 address format.

Usage Guidelines

When you enable the config wlan flexconnect local-switching command, the config wlan flexconnect learn-ipaddr command is enabled by default.


Note

This command is valid only for IPv4.



Note

The ability to disable IP address learning is not supported with FlexConnect central switching.


Examples

The following example shows how to enable WLAN 6 for local switching and enable central DHCP and NAT-PAT:


(Cisco Controller) >config wlan flexconnect local-switching 6 enable central-dhcp enable nat-pat enable

The following example shows how to enable the override DNS option on WLAN 6:


(Cisco Controller) >config wlan flexconnect local-switching 6 override option dns enable

config wlan flexconnect vlan-central-switching

To configure central switching on a locally switched WLAN, use the config wlan flexconnect vlan-central-switching command.

config wlan flexconnect vlan-central-switching wlan_id { enable | disable }

Syntax Description

wlan_id

Wireless LAN identifier between 1 and 512.

enable

Enables central switching on a locally switched wireless LAN.

disable

Disables central switching on a locally switched wireless LAN.

Command Default

Central switching is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You must enable Flexconnect local switching to enable VLAN central switching. When you enable WLAN central switching, the access point bridges the traffic locally if the WLAN is configured on the local IEEE 802.1Q link. If the VLAN is not configured on the access point, the AP tunnels the traffic back to the controller and the controller bridges the traffic to the corresponding VLAN.

WLAN central switching does not support:

  • FlexConnect local authentication.

  • Layer 3 roaming of local switching client.

Examples

The following example shows how to enable WLAN 6 for central switching:

(Cisco Controller) >config wlan flexconnect vlan-central-switching 6 enable

config wlan interface

To configure a wireless LAN interface or an interface group, use the config wlan interface command.

config wlan interface { wlan_id | foreignAp} { interface-name | interface-group-name}

Syntax Description

wlan_id

(Optional) Wireless LAN identifier (1 to 512).

foreignAp

Specifies third-party access points.

interface-name

Interface name.

interface-group-name

Interface group name.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure an interface named VLAN901:


(Cisco Controller) >config wlan interface 16 VLAN901

config wlan ipv6 acl

To configure IPv6 access control list (ACL) on a wireless LAN, use the config wlan ipv6 acl command.

config wlan ipv6 acl wlan_id acl_name

Syntax Description

wlan_id

Wireless LAN identifier between 1 and 512.

acl_name

IPv6 ACL name.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure an IPv6 ACL for local switching:


(Cisco Controller) >config wlan ipv6 acl 22 acl_sample

config wlan kts-cac

To configure the Key Telephone System-based CAC policy for a WLAN, use the config wlan kts-cac command.

config wlan kts-cac { enable | disable} wlan_id

Syntax Description

enable

Enables the KTS-based CAC policy.

disable

Disables the KTS-based CAC policy.

wlan_id

Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

To enable the KTS-based CAC policy for a WLAN, ensure that you do the following:

  • Configure the QoS profile for the WLAN to Platinum by entering the following command:

    config wlan qos wlan-id platinum

  • Disable the WLAN by entering the following command:

    config wlan disable wlan-id

  • Disable FlexConnect local switching for the WLAN by entering the following command:

    config wlan flexconnect local-switching wlan-id disable

Examples

The following example shows how to enable the KTS-based CAC policy for a WLAN with the ID 4:


(Cisco Controller) >config wlan kts-cac enable 4

config wlan learn-ipaddr-cswlan

To configure client IP address learning on a centrally switched WLAN, use theconfig wlan learn-ipaddr-cswlan command.

config wlan learn-ipaddr-cswlan wlan_id { enable | disable}

Syntax Description

wlan_id

Wireless LAN identifier from 1 to 512.

enable

Enables client IPv4 address learning on the centrally switched WLAN

disable

Disables client IPv4 address learning on the centrally switched WLAN

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

8.0

This command supports only IPv4 address format.

Usage Guidelines

If the client is configured with Layer 2 encryption, the Cisco WLC cannot learn the client IP address and will periodically drop the client. Disable this option so that the Cisco WLC maintains the client connection without waiting to learn the client IP address.

Examples

The following example shows how to enable client IP address learning on a centrally switched WLAN:

(Cisco Controller) >config wlan learn-ipaddr-cswlan 2 enable

config wlan ldap

To add or delete a link to a configured Lightweight Directory Access Protocol (LDAP) server, use the config wlan ldap command.

config wlan ldap { add wlan_id server_id | delete wlan_id { all | server_id}}

Syntax Description

add

Adds a link to a configured LDAP server.

wlan_id

Wireless LAN identifier between 1 and 512.

server_id

LDAP server index.

delete

Removes the link to a configured LDAP server.

all

Specifies all LDAP servers.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Use this command to specify the LDAP server priority for the WLAN.

To specify the LDAP server priority, one of the following must be configured and enabled:

  • 802.1X authentication and Local EAP

  • Web authentication and LDAP


    Note

    Local EAP was introduced in controller software release 4.1; LDAP support on Web authentication was introduced in controller software release 4.2.


Examples

The following example shows how to add a link to a configured LDAP server with the WLAN ID 100 and server ID 4:


(Cisco Controller) >config wlan ldap add 100 4 

config wlan load-balance

To override the global load balance configuration and enable or disable load balancing on a particular WLAN, use the config wlan load-balance command.

config wlan load-balance allow { enable | disable} wlan_id

Syntax Description

enable

Enables band selection on a wireless LAN.

disable

Disables band selection on a wireless LAN.

wlan_id

Wireless LAN identifier between 1 and 512.

Command Default

Load balancing is enabled by default.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable band selection on a wireless LAN with WLAN ID 3:


(Cisco Controller) >config wlan load-balance allow enable 3

config wlan mac-filtering

To change the state of MAC filtering on a wireless LAN, use the config wlan mac-filtering command.

config wlan mac-filtering { enable | disable} { wlan_id | foreignAp}

Syntax Description

enable

Enables MAC filtering on a wireless LAN.

disable

Disables MAC filtering on a wireless LAN.

wlan_id

Wireless LAN identifier from 1 to 512.

foreignAp

Specifies third-party access points.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the MAC filtering on WLAN ID 1:


(Cisco Controller) >config wlan mac-filtering enable 1

config wlan max-associated-clients

To configure the maximum number of client connections on a wireless LAN, guest LAN, or remote LAN, use the config wlan max-associated-clients command.

config wlan max-associated-clients max_clients wlan_id

Syntax Description

max_clients

Maximum number of client connections to be accepted.

wlan_id

Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to specify the maximum number of client connections on WLAN ID 2:


(Cisco Controller) >config wlan max-associated-clients 25 2

config wlan max-radio-clients

To configure the maximum number of WLAN client per access point, use the config wlan max-radio-clients command.

config wlan max-radio-clients max_radio_clients wlan_id

Syntax Description

max_radio_clients

Maximum number of client connections to be accepted per access point radio. The valid range is from 1 to 200.

wlan_id

Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to specify the maximum number of client connections per access point radio on WLAN ID 2:


(Cisco Controller) >config wlan max-radio-clients 25 2

config wlan mdns

To configure an multicast DNS (mDNS) profile for a WLAN, use the config wlan mdns command.

config wlan mdns { enable | disable | profile { profile-name | none}} { wlan_id | all}

Syntax Description

enable

Enables mDNS snooping on a WLAN.

disable

Disables mDNS snooping on a WLAN.

profile

Configures an mDNS profile for a WLAN.

profile-name

Name of the mDNS profile to be associated with a WLAN.

none

Removes all existing mDNS profiles from the WLAN. You cannot configure mDNS profiles on the WLAN.

wlan_id

Wireless LAN identifier from 1 to 512.

all

Configures the mDNS profile for all WLANs.

Command Default

By default, mDNS snooping is enabled on WLANs.

Command History

Release Modification

7.4

This command was introduced.

Usage Guidelines

You must disable the WLAN before you use this command. Clients receive service advertisements only for the services associated with the profile. The controller gives the highest priority to the profiles associated to interface groups, followed by the interface profiles, and then the WLAN profiles. Each client is mapped to a profile based on the order of priority.

Examples

The following example shows how to configure an mDNS profile for a WLAN.

(Cisco Controller) >config wlan mdns profile profile1 1 

config wlan media-stream

To configure multicast-direct for a wireless LAN media stream, use the config wlan media-stream command.

config wlan media-stream multicast-direct { wlan_id | all} { enable | disable}

Syntax Description

multicast-direct

Configures multicast-direct for a wireless LAN media stream.

wlan_id

Wireless LAN identifier between 1 and 512.

all

Configures the wireless LAN on all media streams.

enable

Enables global multicast to unicast conversion.

disable

Disables global multicast to unicast conversion.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Media stream multicast-direct requires load based Call Admission Control (CAC) to run. WLAN quality of service (QoS) needs to be set to either gold or platinum.

Examples

The following example shows how to enable the global multicast-direct media stream with WLAN ID 2:


(Cisco Controller) >config wlan media-stream multicast-direct 2 enable

config wlan mfp

To configure management frame protection (MFP) options for the wireless LAN, use the config wlan mfp command.

config wlan mfp { client [ enable | disable] wlan_id | infrastructure protection [ enable | disable] wlan_id}

Syntax Description

client

Configures client MFP for the wireless LAN.

enable

(Optional) Enables the feature.

disable

(Optional) Disables the feature.

wlan_id

Wireless LAN identifier (1 to 512).

infrastructure protection

(Optional) Configures the infrastructure MFP for the wireless LAN.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure client management frame protection for WLAN ID 1:


(Cisco Controller) >config wlan mfp client enable 1

config wlan mobility foreign-map

To configure interfaces or interface groups for foreign Cisco WLCs, use the config wlan mobility foreign-map command.

config wlan mobility foreign-map { add | delete} wlan_id foreign_mac_address { interface_name | interface_group_name}

Syntax Description

add

Adds an interface or interface group to the map of foreign controllers.

delete

Deletes an interface or interface group from the map of foreign controllers.

wlan_id

Wireless LAN identifier from 1 to 512.

foreign_mac_address

Foreign switch MAC address on a WLAN.

interface_name

Interface name up to 32 alphanumeric characters.

interface_group_name

Interface group name up to 32 alphanumeric characters.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add an interface group for foreign Cisco WLCs with WLAN ID 4 and a foreign switch MAC address on WLAN 00:21:1b:ea:36:60:


(Cisco Controller) >config wlan mobility foreign-map add 4 00:21:1b:ea:36:60 mygroup1

config wlan multicast buffer

To configure the radio multicast packet buffer size, use the config wlan multicast buffer command.

config wlan multicast buffer { enable | disable} buffer-size

Syntax Description

enable

Enables the multicast interface feature for a wireless LAN.

disable

Disables the multicast interface feature on a wireless LAN.

buffer-size

Radio multicast packet buffer size. The range is from 30 to 60. Enter 0 to indicate APs will dynamically adjust the number of buffers allocated for multicast.

wlan_id

Wireless LAN identifier between 1 and 512.

Command Default

The default buffer size is 30

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure radio multicast buffer settings:


(Cisco Controller) >config wlan multicast buffer enable 45 222

config wlan multicast interface

To configure a multicast interface for a wireless LAN, use the config wlan multicast interface command.

config wlan multicast interface wlan_id { enable | disable} interface_name

Syntax Description

wlan_id

Wireless LAN identifier between 1 and 512.

enable

Enables multicast interface feature for a wireless LAN.

delete

Disables multicast interface feature on a wireless LAN.

interface_name

Interface name.

Note 

The interface name can only be specified in lower case characters.

Command Default

Multicast is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the multicast interface feature for a wireless LAN with WLAN ID 4 and interface name myinterface1:


(Cisco Controller) >config wlan multicast interface 4 enable myinterface1

config wlan nac

To enable or disable Network Admission Control (NAC) out-of-band support for a WLAN, use the config wlan nac command.

config wlan nac { snmp | radius} { enable | disable} wlan_id

Syntax Description

snmp

Configures SNMP NAC support.

radius

Configures RADIUS NAC support.

enable

Enables NAC for the WLAN.

disable

Disables NAC for the WLAN.

wlan_id

WLAN identifier from 1 to 512.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You should enable AAA override before you enable the RADIUS NAC state. You also should disable FlexConnect local switching before you enable the RADIUS NAC state.

Examples

The following example shows how to configure SNMP NAC support for WLAN 13:

(Cisco Controller) >config wlan nac snmp enable 13

The following example shows how to configure RADIUS NAC support for WLAN 34:


(Cisco Controller) >config wlan nac radius enable 20

config wlan override-rate-limit

To override the bandwidth limits for upstream and downstream traffic per user and per service set identifier (SSID) defined in the QoS profile, use the config wlan override-rate-limit command.

config wlan override-rate-limit wlan_id { average-data-rate | average-realtime-rate | burst-data-rate | burst-realtime-rate } { per-ssid | per-client } { downstream | upstream } rate

Syntax Description

wlan_id

Wireless LAN identifier between 1 and 512.

average-data-rate

Specifies the average data rate for TCP traffic per user or per SSID. The range is from 0 to 51,2000 Kbps.

average-realtime-rate

Specifies the average real-time data rate for UDP traffic per user or per SSID. The range is from 0 to 51,2000 Kbps.

burst-data-rate

Specifies the peak data rate for TCP traffic per user or per SSID. The range is from 0 to 51,2000 Kbps.

burst-realtime-rate

Specifies the peak real-time data rate for UDP traffic per user or per SSID. The range is from 0 to 51,2000 Kbps.

per-ssid

Configures the rate limit for an SSID per radio. The combined traffic of all clients will not exceed this limit.

per-client

Configures the rate limit for each client associated with the SSID.

downstream

Configures the rate limit for downstream traffic.

upstream

Configures the rate limit for upstream traffic.

rate

Data rate for TCP or UDP traffic per user or per SSID. The range is form 0 to 51,2000 Kbps. A value of 0 imposes no bandwidth restriction on the QoS profile.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The rate limits are enforced by the controller and the AP. For central switching, the controller handles the downstream enforcement of per-client rate limit and the AP handles the enforcement of the upstream traffic and per-SSID rate limit for downstream traffic. When the AP enters standalone mode it handles the downstream enforcement of per-client rate limits too.

In FlexConnect local switching and standalone modes, per-client and per-SSID rate limiting is done by the AP for downstream and upstream traffic. However, in FlexConnect standalone mode, the configuration is not saved on the AP, so when the AP reloads, the configuration is lost and rate limiting does not happen after reboot.

For roaming clients, if the client roams between the APs on the same controller, same rate limit parameters are applied on the client. However, if the client roams from an anchor to a foreign controller, the per-client downstream rate limiting uses the parameters configured on the anchor controller while upstream rate limiting uses the parameters of the foreign controller.

Examples

The following example shows how to configure the burst real-time actual rate 2000 Kbps for the upstream traffic per SSID:

(Cisco Controller) >config wlan override-rate-limit 2 burst-realtime-rate per-ssid upstream 2000

config wlan passive-client

To configure passive-client feature on a wireless LAN, use the config wlan passive-client command.

config wlan passive-client { enable | disable} wlan_id

Syntax Description

enable

Enables the passive-client feature on a WLAN.

disable

Disables the passive-client feature on a WLAN.

wlan_id

WLAN identifier between 1 and 512.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You need to enable the global multicast mode and multicast-multicast mode by using the config network multicast global and config network multicast mode commands before entering this command.


Note

You should configure the multicast in multicast-multicast mode only not in unicast mode. The passive client feature does not work with multicast-unicast mode in this release.


Examples

The following example shows how to configure the passive client on wireless LAN ID 2:


(Cisco Controller) >config wlan passive-client enable 2

config wlan peer-blocking

To configure peer-to-peer blocking on a WLAN, use the config wlan peer-blocking command.

config wlan peer-blocking { disable | drop | forward-upstream} wlan_id

Syntax Description

disable

Disables peer-to-peer blocking and bridge traffic locally within the controller whenever possible.

drop

Causes the controller to discard the packets.

forward-upstream

Causes the packets to be forwarded on the upstream VLAN. The device above the controller decides what action to take regarding the packets.

wlan_id

WLAN identifier between 1 and 512.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable the peer-to-peer blocking for WLAN ID 1:


(Cisco Controller) >config wlan peer-blocking disable 1

config wlan profiling

To configure client profiling on a WLAN, use the config wlan profiling command.

config wlan profiling { local | radius} { all | dhcp | http} { enable | disable} wlan_id

Syntax Description

local

Configures client profiling in Local mode for a WLAN.

radius

Configures client profiling in RADIUS mode on a WLAN.

all

Configures DHCP and HTTP client profiling in a WLAN.

dhcp

Configures DHCP client profiling alone in a WLAN.

http

Configures HTTP client profiling in a WLAN.

enable

Enables the specific type of client profiling in a WLAN.

When you enable HTTP profiling, the Cisco WLC collects the HTTP attributes of clients for profiling.

When you enable DHCP profiling, the Cisco WLC collects the DHCP attributes of clients for profiling.

disable

Disables the specific